Event ID 2023: The local domain controller cannot complete demotion
On May 9, 2005 I wrote about a problem where my students were unable to raise the Domain Functional level from Windows 2000 Native to Windows Server 2003 in an Active Directory workshop. The error said that the domain controller was too busy, so the functional level could not be raised. I also documented the solution provided by a Microsoft TechNet article, which required modifying the registry.
This week I ran into a situation where a child domain was unable to demote its only domain controller. The Event Viewer pointed to error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime." Here’s what the Event Viewer error looked like.
********************************************************************************
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2023
Date: 6/30/2005
Time: 9:19:24 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: PERTH
Description:
The local domain controller was unable to replicate changes to the following remote domain controller for the following directory partition.
Remote domain controller:
69086f2a-c836-476f-9e22-340c7b5e42db._msdcs.nwtraders2.msft
Directory partition:
CN=Schema,CN=Configuration,DC=nwtraders2,DC=msft
The local domain controller cannot complete demotion.
User Action
Investigate why replication between these two domain controllers cannot be performed. Then, try to demote this domain controller again.
Additonal Data
Error value:
8614 The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
********************************************************************************
Please ignore the typo in the above error (“Additonal” Data). Apparently, Microsoft doesn’t run spell-checker on error messages.
My student did a quick search on TechGalaxy’s homepage for the word “tombstone” and found the blog entry from May 2005. The solution provided for Event ID 2042: It has been too long since this machine replicated also worked to resolve the problem with demoting a child domain’s domain controller. Here’s the quick solution for your convenience.
1. Start registry editor (regedit.exe).
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. If the registry entry exists, modify it; otherwise create a new DWORD value by right-clicking Parameters.
4. Type Allow Replication With Divergent and Corrupt Partner and press Enter.
5. Double-click the entry and for the Value data type 1, then click OK.
6. Close the registry editor. You do not need to reboot after this change.
NOTE: Make this change on both the source and destination Domain Controllers that are having replication problems. There is no need to reboot the computers.
Verify that replication is successful between the Domain Controllers and then demote the child domain’s Domain Controller. Go back and set Allow Replication With Divergent and Corrupt Partner back to 0. You won’t see the NTDS node in the registry on the Domain Controller that you’ve just demoted because the computer no longer has the Active Directory. You should make the change on the other Domain Controller that is still running the Active Directory.
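The registry procedure above, scripted so it can be applied identically on both Domain Controllers and reverted afterwards. This is an added example, not code from the original post; it assumes PowerShell and repadmin.exe are available on the Domain Controller (the post only uses regedit.exe), that it is run elevated, and that demotion itself is still done interactively as the post describes. Because the override lets a partner that has been out of contact for longer than the tombstone lifetime replicate again, the revert step at the end matters as much as the enable step.

```powershell
# Added example (not from the original post). Enables or reverts the
# "Allow Replication With Divergent and Corrupt Partner" override described
# in the post and shows replication status around it.
# Assumptions not in the post: repadmin.exe is present, the script runs
# elevated, and it is run on BOTH DCs involved, as the post's NOTE requires.

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Allow Replication With Divergent and Corrupt Partner'

function Set-DivergentPartnerOverride {
    param([ValidateSet(0, 1)][int]$Value)

    if (-not (Test-Path $ParamsKey)) {
        # The post points out that this node disappears once a DC is demoted.
        throw "NTDS\Parameters not found: this machine is not (or is no longer) a domain controller."
    }

    $existing = Get-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Steps 3-4 of the post: create the DWORD if it does not exist yet.
        New-ItemProperty -Path $ParamsKey -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        # Steps 3 and 5: modify the existing entry in place.
        Set-ItemProperty -Path $ParamsKey -Name $ValueName -Value $Value
    }

    # Step 6: no reboot is needed. Return the value actually stored so the caller can confirm it.
    (Get-ItemProperty -Path $ParamsKey -Name $ValueName).$ValueName
}

function Show-ReplicationStatus {
    # repadmin /showrepl lists inbound replication links and their last result;
    # a partner past the tombstone lifetime shows up here with error 8614.
    repadmin /showrepl
}

# 1. Record the current state, then enable the override (repeat on the other DC).
Show-ReplicationStatus
$stored = Set-DivergentPartnerOverride -Value 1
Write-Host "Override now set to $stored"

# 2. Re-check that replication succeeds before demoting the child DC
#    (demotion itself is done interactively, as in the post).
Show-ReplicationStatus

# 3. After demotion, revert on the DC that still hosts Active Directory:
#    Set-DivergentPartnerOverride -Value 0
```

Run the first two steps on each Domain Controller in turn, demote the child domain's DC once `repadmin /showrepl` no longer reports 8614, and only then run the revert on the surviving DC; the demoted machine will throw at the `Test-Path` check because, as the post notes, its NTDS node is gone.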
In a classroom or test environment these issues are not unusual because of the old images that are used to set up the classroom network. In my class I discovered that the setup folks forgot to update the date and time on the classroom computers, which was set to November 14, 2004. We updated the date and time, but that didn’t cure the tombstone lifetime issue on the Domain Controllers. The TechNet article I mentioned above has a good explanation of the cause of these problems.